Asked and Answered: 5 Questions from Our Webinar with Savage Security

On October 3rd, we held a webinar with our friends over at Savage Security, called Going Savage: Strategies for Taking Control of Your Cybersecurity Fate. Our CTO Todd O’Boyle and Adrian Sanabria of Savage conducted a lively discussion about how you can “plan to fail,” and in doing so protect your organization against security threats far more effectively. Afterward, they fielded some great audience questions, and we’ve featured several of them below, so you can borrow their wisdom for yourself.

Question 1: It sounds like the best response during a security breach is timely transparency. Are there any other actions companies should take to combat or avoid negative PR?

Adrian: Speed is the key, and you need to read what people are saying in real-time. For example, that’s one thing Equifax did a good job on in the aftermath of their recent breach. People who were locking down their credit after the breach were getting online and criticizing the company, because the pin to lock down their credit was just an 8-digit time stamp—the date and time the transaction went through. People weren’t comfortable with that, because it’s potentially easy to crack with brute force. Equifax changed this pretty quick. They turned around a randomized pin in a day or two. That’s a good example of how you can listen to what people are saying and respond. Even when a breach is pretty huge and pretty bad, there are still things you can do to mitigate the fallout. Transparency and speed are the two big keys.

Question 2: In the event of a security breach, how do I convince upper management to follow through with my incident response plan?

Todd: If you have to do any convincing, you’re doing your planning wrong. Leadership in your organization should be completely bought in ahead of time. Remember, this is not a technical problem we’re addressing here. It’s a people problem. Your incident response plan has to include PR, marketing, and all of the executives in your company being bought in before a breach happens. They need to be part of creating and cementing this plan, and they must agree on how you are going to communicate to the public. Salespeople may also need to talk to customers about a breach, and they will need details to be able to do that effectively.

Long story short: If your leadership isn’t bought in to your plan, you’re not spending enough time on the non-technical aspects of planning ahead.

Question 3: You can educate your employees, but how do you motivate them to report potential phishing attempts?

Adrian: I’ve seen some vendors in this space who show statistics to users, trying to encourage a feeling of pride that you’re doing something for your company and helping to protect it. That can work. Also, in general, phishing awareness is a really good skill for everyone to have. Odds are you will get phished at home, in your personal life—not just at work. So this is something that everyone should want to get good at, even if it’s just for personal reasons. I’ve seen it incentivized that way.

Within your organization, you can also publicly recognize the person who finds a phishing attempt, just like you’d recognize someone for other accomplishments, like garnering the top sales for the month. The reality is anyone who catches a phish is potentially preventing losses to the whole business by spotting it and keeping others from falling for it.

Todd: Additionally, if your organization gets good at reporting potential phishes, one person in your organization is inevitably going to stop an attack on someone else. You can give them a “hero award” for this and put them on a pedestal for doing right by the organization.

Question 4: You mentioned metrics when answering the board’s question: “How secure are we?” How exactly can we collect metrics, especially when security is a combination of education and security products?

Adrian: This is a huge, ongoing challenge. It’s really tough. A lot of metrics don’t mean much. They tell you more about the volume of bad stuff happening on the internet than about your own organization and its ability to stop threats. That’s why I’ve gotten interested in the attack simulation market. Because, in a lot of ways, I think the problem with how we do security currently is that we put these controls in place, but we don’t really have a good way to test them, aside from just waiting for bad stuff to happen. That’s not the most comfortable way to test how a control works.

For example, we’ve seen situations where someone forgets the last step of configuration. We’ve seen other cases where network security monitoring products are plugged into the wrong ports. So instead of seeing the whole organization, they just see five servers. Yikes. Simple functional tests can give you some metrics that tell you whether your products are working. Then you can take a step beyond that and do efficacy tests, for example, running simulations based on attacks that are happening in the wild. Would you survive it? Would you detect it? Would you prevent it?

Todd: I agree with Adrian. I’ve been in security for a long time, and here’s the reality: We’ve been making vanity metrics up as long as security has existed. Like counting the beeps and log entries we need to go through each day… That is just not getting us anywhere close to where we need to go. Today, we’ve floated a couple of important areas that should be measured, things like how fast your organization can respond to an attack. How long is it between post-breach discovery and your first contact with the public? Those are really valuable metrics you can use to measure the whole organization’s security. On top of those, I’ve always found that doing exercises and tabletop simulations is really key to understanding an entire attack and how well you are prepared for it. For example, just look qualitatively at how you would respond to a phishing attack that targets financial information or one that wants to steal data or a ransomware attack. Walking through these scenarios is a very effective exercise. So, instead of focusing too much on vanity metrics, I recommend you sit down with a piece of paper and an afternoon and a small team and walk through some real-world scenarios.
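Two of the non-vanity metrics discussed in this answer can be computed from data most teams already have. The script below is an added example, not material from the webinar or from either company: it takes a constructed asset inventory and a few constructed sensor log lines to measure how much of the estate a monitoring product actually sees (the “plugged into the wrong port, only sees five servers” failure), and a constructed incident timeline to measure hours from detection to containment and to first public notice. The log format and the field names are assumptions for the example.

```python
"""Added example: monitoring-coverage and response-time metrics.

All hostnames, timestamps and log lines here are constructed sample data;
the sensor log format "timestamp src_host event" is an assumption.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: every host the sensor is expected to observe.
INVENTORY = {"web-01", "web-02", "db-01", "db-02", "app-01", "app-02", "vpn-01"}

# Constructed sensor output. If the sensor were on the wrong port it would
# only ever report a subset of the inventory, which this metric exposes.
SENSOR_LOG = """\
2017-10-01T09:00:00Z web-01 flow
2017-10-01T09:00:05Z web-02 flow
2017-10-01T09:01:10Z web-01 alert
2017-10-01T09:02:00Z app-01 flow
2017-10-01T09:03:30Z unknown-laptop flow
"""

# Constructed incident timeline (ISO 8601, UTC). A missing public notice is
# recorded as None so it is reported rather than silently skipped.
INCIDENTS = [
    {"id": "INC-1", "detected": "2017-09-01T10:00:00Z",
     "contained": "2017-09-01T11:30:00Z", "public_notice": "2017-09-03T10:00:00Z"},
    {"id": "INC-2", "detected": "2017-09-10T08:00:00Z",
     "contained": "2017-09-10T08:20:00Z", "public_notice": None},
]


def coverage(inventory: set, sensor_log: str) -> Tuple[float, List[str]]:
    """Fraction of inventory hosts seen at least once, plus the blind spots.

    Hosts that appear in the log but not in the inventory are ignored here;
    they are an inventory problem, not a sensor-placement problem.
    """
    seen = {line.split()[1] for line in sensor_log.splitlines() if line.strip()}
    covered = inventory & seen
    blind_spots = sorted(inventory - seen)
    return len(covered) / len(inventory), blind_spots


def _parse(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def response_metrics(incidents: List[Dict]) -> List[Dict[str, Optional[float]]]:
    """Hours from detection to containment and to first public notice."""
    rows = []
    for inc in incidents:
        detected = _parse(inc["detected"])
        hours_to_contain = (_parse(inc["contained"]) - detected).total_seconds() / 3600
        if inc["public_notice"] is None:
            hours_to_notice = None
        else:
            hours_to_notice = (_parse(inc["public_notice"]) - detected).total_seconds() / 3600
        rows.append({"id": inc["id"],
                     "hours_to_contain": hours_to_contain,
                     "hours_to_public_notice": hours_to_notice})
    return rows


if __name__ == "__main__":
    frac, blind = coverage(INVENTORY, SENSOR_LOG)
    print(f"sensor coverage: {frac:.0%}; not seen: {', '.join(blind)}")
    for row in response_metrics(INCIDENTS):
        notice = row["hours_to_public_notice"]
        notice_txt = "no public notice recorded" if notice is None else f"{notice:.1f} h to public notice"
        print(f"{row['id']}: {row['hours_to_contain']:.2f} h to contain; {notice_txt}")
```

Run against real inventory and sensor exports, the coverage figure is the functional test Adrian describes: a product that reports well under 100% of known hosts is not protecting the organization it was bought for. The response rows are the discovery-to-containment and discovery-to-disclosure intervals Todd singles out, and a None in the notice column is itself a finding worth tracking.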

Question 5: Who should be involved when creating an incident response plan? And since employee education and transparency seem to be a theme, should my team have access to this plan?

Adrian: Every time I’ve made an incident response plan, I sit and look at it and realize: This isn’t the type of thing you want to hand to everyone. It gets into a lot of details, like the phone number of our local FBI office and our contact there. Not everybody needs that level of information. Instead, I tend to like to break it out for different audiences. Break out the parts that PR needs to know. For the average employee, the most important thing to know is how to report something suspicious. I want them to know how to do that off the top of their heads. Put it on something they can print out, or put posters on the wall. Going back to metrics, one of the things to measure is how quickly I can get that info to someone who can do something about it. If it’s a link in a phishing email, I want to blackhole the domain as quickly as possible. How can I cut down the time?

Todd: What really changes the game is practice. It changes everything. You don’t need to beat people over the head to memorize your incident response plan. If they practice enough, it’ll be ingrained in them, and then they’ll know what to do when a real scenario happens.

Adrian: Also remember 50 percent of plans fail on contact with the enemy. So, to paraphrase Mike Tyson, you have to figure out how to get punched in the face without it hurting too much, and on a regular basis.

Thanks to everyone who joined us. We hope to have you at the next one, too!